Hi everyone,
I would like to have two users with separate ACLs for OpenLDAP:
uid=Ldaproot,dc=domain,dc=com with full access to the database.
uid=Sambaroot,dc=domain,dc=com with access only to Samba entries which
belong to the samba* attribute types and also to ou=Machines and ou=Idmap.
I do not want to have a rootdn entry in slapd.conf. The Ldaproot user
will have a Kerberos principal with an unknown password, stored in a
keytab, which will be used to perform GSSAPI authentication whenever we
need to add/remove information in LDAP using some scripts.
Since Sambaroot needs to have an entry in /etc/samba/secrets.tdb, which is
pretty much plaintext, and since Samba cannot use keytabs, I would like to
provide the user uid=Sambaroot,dc=domain,dc=com with ACLs to be able to
add one entry to the root of the LDAP database:
dn: sambaDomainName=GT-MATH-TEST,dc=math,dc=gatech,dc=edu
objectClass: sambaDomain
sambaDomainName: GT-MATH-TEST
sambaSID: S-1-5-21-2135209786-3363987198-2266210874
sambaAlgorithmicRidBase: 1000
The information above changes with the domain name, so it is not like I
can add it once as Ldaproot and then let Sambaroot modify it.
How do I create an ACL to allow uid=Sambaroot to add such an entry without
giving full write access?
I also need to allow Sambaroot to modify all attribute types for Samba. Is
there any other way to do this better than:
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=objectClass
        by * read
(I need to do the one above or the one below will block read access to
everything since objectClass is listed as an attribute).
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaPrimaryGroupSID,sambaDomainName,displayName,objectClass
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
Thanks,
Diego
----------------------------------
Diego Julian Remolina
System Administrator
School of Mathematics
Georgia Institute of Technology
----------------------------------
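Added example (not from Diego's message and not from the Samba or OpenLDAP projects): a slapd.conf ACL set that grants what the message asks for. It assumes the suffix dc=math,dc=gatech,dc=edu and the DNs uid=Ldaproot,ou=People,... and uid=Sambaroot,ou=People,... that appear in the ACL quoted in the message, OpenLDAP 2.3 or later syntax (dn.exact/dn.regex, attrs=, the @objectClass shorthand and the "break" control), and that an authz-regexp rule already maps the GSSAPI identity of Ldaproot to that DN; the clause numbering and comments are mine. Two points it makes: an add is governed by the "children" pseudo-attribute of the parent together with the "entry" pseudo-attribute of the new entry, so granting "entry" write only for DNs of the form sambaDomainName=...,<suffix> lets Sambaroot create and remove that one kind of entry without general write access on the suffix; and the separate "attrs=objectClass by * read" rule is unnecessary when the Samba attribute rule itself ends in "by * read", provided the password hashes are split into their own rule first so they do not become world-readable.

```conf
# Added example: slapd.conf ACLs for the two accounts described in the message.
# Assumed names (taken from the ACL quoted in the message):
#   suffix    dc=math,dc=gatech,dc=edu
#   Ldaproot  uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu
#   Sambaroot uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu
# Syntax requires OpenLDAP 2.3 or later.  slapd applies the FIRST "access to"
# clause whose target matches the entry AND the attribute, and within it the
# FIRST "by" that matches the requester, so specific rules come first.
# dn.regex patterns are compared against the normalized DN, hence lower case.

# 1. Ldaproot: full access to everything (stands in for rootdn).
#    "break" sends all other identities on to the following clauses.
access to *
        by dn.exact="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * break

# 2. Standard userPassword rule (not from the message; keep whatever you use).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 3. NT/LM hashes of users AND machine trust accounts: Sambaroot writes,
#    nobody else reads.  Listed before the broad rules below on purpose.
access to dn.regex="^.+,ou=(people|machines),dc=math,dc=gatech,dc=edu$"
        attrs=sambaLMPassword,sambaNTPassword
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * none

# 4. The sambaDomain entry directly under the suffix.  An add needs write on
#    the parent's "children" pseudo-attribute and write on the new entry's
#    "entry" pseudo-attribute and on each of its attributes; a delete needs the
#    same "children" and "entry" rights.  Because "entry" write is granted only
#    for DNs of the form sambaDomainName=...,<suffix>, Sambaroot can create or
#    remove that one kind of entry and nothing else below the suffix.
access to dn.exact="dc=math,dc=gatech,dc=edu" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * none
access to dn.regex="^sambadomainname=[^,]+,dc=math,dc=gatech,dc=edu$"
        attrs=entry,objectClass,@sambaDomain
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# 5. ou=Machines and ou=Idmap: Sambaroot may add, delete and modify the entries
#    below the two OUs but gets no write on the OU entries themselves, so it
#    cannot rename or remove the containers.
access to dn.regex="^ou=(machines|idmap),dc=math,dc=gatech,dc=edu$" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * none
access to dn.regex="^.+,ou=(machines|idmap),dc=math,dc=gatech,dc=edu$"
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# 6. The remaining Samba attributes on user entries.  Ending the clause with
#    "by * read" keeps objectClass and displayName readable by everyone, so
#    the separate "attrs=objectClass by * read" rule is no longer needed.
#    (The hashes are not in this list; clause 3 handles them.)
access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attrs=objectClass,displayName,sambaSID,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaPrimaryGroupSID,sambaDomainName
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# 7. Everything else is readable.  Ldaproot never gets here (clause 1), and
#    nothing above grants Sambaroot write anywhere else.
access to *
        by * read
```

slapacl(8) lets you check a rule set without restarting slapd: run it with -f pointing at the slapd.conf, -D for the binding DN and -b for the target, followed by attribute/access pairs such as children/write or sambaNTPassword/read, and its -u option evaluates the rules for a DN that does not exist yet, which is what the sambaDomainName=... add case needs.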